Will the EU Privacy Reform Boost Privacy Seal Adoption?
By Jay Cline, CIPP
The proposed regulation to replace the landmark EU Directive on Data Protection has generated keen interest in its proposed two-percent penalty on the revenues of noncompliant companies and a new "right to be forgotten." What has eluded most discussion, however, is the European Commission's heightened interest in institutionalizing privacy seals. This is noteworthy because privacy seals have been more popular in other regions, such as North America and Japan. Will this commission initiative be the kick that jump-starts adoption of privacy seals in the largely untapped European market?
Article 39 of the draft regulation states:
The Member States and the Commission shall encourage, in particular at a European level, the establishment of data protection certification mechanisms and of data protection seals and marks... The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms...
This landmark provision was inked at about the same time the French data protection authority (CNIL) amended its regulations to specify how it will begin issuing its own privacy seals. The CNIL seals will indicate compliance with French data protection laws.
"We are also seeing growing interest in Europe," Dave Deasy, vice president of marketing for TRUSTe, told Inside 1to1: PRIVACY, "for solutions to address the EU cookie directive as well as privacy certifications validating that customer data is collected and managed in accordance with the applicable country-level privacy requirements."
Is Europe on the verge of joining North America and Japan as the next market where privacy seals become a normal way for companies to demonstrate their privacy compliance? A look back at the paths other privacy seal programs have taken suggests this outcome may depend on three key factors--strong champions, field staff and simple products.
Lessons Learned from Japan
Japan's experience with privacy seals may be the most relevant for Europe. This is because of the more prominent role that the government in Japan played in spurring the adoption of privacy seals. According to the nonprofit Japan Information Development Processing Corporation (JIPDEC), more than 12,000 entities now fly its Privacy Mark. At a cost of USD$600 to $15,000--and a process that involves a document review and onsite assessment--this is a remarkable achievement. What led to this success?
The Privacy Mark program started in 1998 with 58 registrants--a strong beginning. Despite the lack of a national privacy law in Japan, the number of Privacy Mark holders grew steadily, hitting 803 by 2003. The 2003 passage and 2005 entry-into-force of Japan's Personal Information Protection Act was a tipping point for the program, however. By 2006, with recurring news of data leaks and enforcement actions entering Japanese headlines, the number of sealholders had mushroomed to 7,549. Flying this seal had by then become an indicator to government enforcement bodies and business partners that an organization had taken the appropriate due diligence steps to comply with PIPA. A cottage industry of roughly 1,000 field assessors had also sprouted in time to meet this growing demand. The combination of government enforcement of its privacy law, field assessors and a variable-rate and affordable product was the winning combination that offers lessons to Europe.
The North American Experience
The same year that JIPDEC enrolled its first members, the Better Business Bureau, TRUSTe and AICPA and CICA (American Institute of CPAs and Chartered Accountants of Canada) were ramping up operations of their own privacy seals. The Internet browser was only five years old at the time, and the dot-com bubble was nearing its peak.
As it turned out, the BBB program ceased operations by 2007 after a peak of about 700 customers. But the San Francisco-based TRUSTe flourished, expanding past 5,000 sealholders and 7,000 certified websites, applications and cloud services. TRUSTe experienced this growth despite the absence of any national privacy law in the U.S. and without direct government support. The cost of its seals ranges from less than $5,000 for small businesses with simple sites to more than $100,000, according to Deasy, for multinationals operating multiple websites, mobile apps, cloud services and behavioral advertising.
At the same time, the AICPA/CICA WebTrust online privacy seal was enlisting several dozen certifying accountancies to grant its audit-based seal among clients. The AICPA and CICA--whose members are based in North America but sometimes also have operations in Europe--have a distribution model similar to JIPDEC's. According to Christina Herwig, who administers the program for the CICA, a prospective client for a WebTrust privacy seal engages a CICA-member accounting firm to conduct the required audit for a fee that can vary widely. The accounting firm in turn pays an annual fee of $3,000 to the CICA.
Herwig reports that there are 11 active holders of their privacy-related seals and 60 clients who fly related confidentiality and availability seals. Brian Walker, who was instrumental in establishing the WebTrust program, explained that the lower numbers are due to the fact that the program's audit criteria are high.
Could this mixed North American experience offer any predictors about the future path of privacy seals in Europe?
The formula that works for TRUSTe includes a transparent pricing and onboarding process and dedicated sales team. Meanwhile, the success factors for the AICPA and CICA are its reputable standards and distribution partners.
A Boon for EuroPrise?
The new EU regulation seems tailor-made to boost the visibility of the EuroPrise program administered by the data protection authority of the northern German state of Schleswig-Holstein. The EuroPrise program was seeded with a €1.3 million grant from the European Commission in 2007 and 16 pilot candidates. That said, five years later, the program--in spite of robust EU data protection legislation--now lists just two dozen sealholders. What could explain the slower growth? One factor appears to be the EuroPrise criteria, which are the strictest of the seal programs reviewed for this article. A second factor may be that prospective sealholders do not want to expose their gaps directly to a regulator.
The CNIL's newly announced program--with its promises of relatively quick turnaround times--seems poised to take advantage of the newfound commission interest in privacy seals. Sealholders who can meet the standards of the CNIL, reputed to be among the highest in Europe, may hope that this translates into higher credibility in general with other EU data-protection commissioners. That said, the CNIL's focus on compliance with French laws only could also limit the number of prospective sealholders to those with operations in France.
What will it take for privacy seals to succeed in Europe? Perhaps a combination of all of these factors--including a core group of large EU-based multinational sponsors, a marketing and operations staff, incentives for independent field auditors, a transparent product and website, and criteria that are not overly onerous--is what is needed to make the commission's proposal stick. Without a clear frontrunner, the field is wide open.
Jay Cline, CIPP, is a member of the IAPP Faculty and president of Minnesota Privacy Consultants.